Open Redirect: ringaraja.net
Message contains use of the ringaraja.net open redirect. This has been exploited in the wild.
Sublime rule (View on GitHub)
1name: "Open Redirect: ringaraja.net"
2description: |
3 Message contains use of the ringaraja.net open redirect. This has been exploited in the wild.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and any(body.links,
9 .href_url.domain.root_domain == "ringaraja.net"
10 and .href_url.path =~ "/portleti/katalogponudnikov/result.asp"
11 and strings.icontains(.href_url.query_params, 'url=')
12 // negate use of the redirect by ringaraja
13 and not regex.icontains(.href_url.query_params, 'url=[^&]*ringaraja\.net')
14 )
15 and (
16 not profile.by_sender().solicited
17 or (
18 profile.by_sender().any_messages_malicious_or_spam
19 and not profile.by_sender().any_false_positives
20 )
21 )
22
23 // negate highly trusted sender domains unless they fail DMARC authentication
24 and (
25 (
26 sender.email.domain.root_domain in $high_trust_sender_root_domains
27 and not headers.auth_summary.dmarc.pass
28 )
29 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
30 )
31attack_types:
32 - "Credential Phishing"
33 - "Malware/Ransomware"
34tactics_and_techniques:
35 - "Open redirect"
36detection_methods:
37 - "Sender analysis"
38 - "URL analysis"
39id: "4d9594f4-1e96-5afd-a575-8a16d2d79698"